The tricky case is a bucket which is otherwise private but contains individual files that were uploaded with a public ACL (or had the ACL modified, of course). This is not made apparent anywhere in the interface (by which I mean there isn't some big "public" sticker), and is part of what this feature is trying to address.
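An added example, not part of the original comment: one way to audit for the case described above is to check each object's own ACL for grants to the predefined public groups. The sample ACLs are constructed, and `audit_bucket` is a hypothetical helper that assumes boto3 and AWS credentials are available.

```python
"""Find objects whose own ACL grants public access, even inside a private bucket."""

# Predefined S3 group URIs that make a grant effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_grants(acl):
    """Return sorted (audience, permission) pairs for the public grants in one ACL."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.add((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission", "?")))
    return sorted(found)

def audit(keys, get_acl):
    """Map every key that has at least one public grant to those grants."""
    report = {}
    for key in keys:
        grants = public_grants(get_acl(key))
        if grants:
            report[key] = grants
    return report

def audit_bucket(bucket):
    """Live variant (hypothetical helper): needs s3:ListBucket and s3:GetObjectAcl."""
    import boto3  # imported lazily so the offline sample below runs without it
    s3 = boto3.client("s3")
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket)
    keys = (obj["Key"] for page in pages for obj in page.get("Contents", []))
    return audit(keys, lambda key: s3.get_object_acl(Bucket=bucket, Key=key))

# Constructed sample data in the shape of get_object_acl responses.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
SAMPLE_ACLS = {
    "reports/q1.pdf": {"Grants": [OWNER]},                    # private, like the bucket
    "uploads/logo.png": {"Grants": [OWNER, ALL_USERS_READ]},  # uploaded with a public ACL
}

if __name__ == "__main__":
    for key, grants in audit(SAMPLE_ACLS, SAMPLE_ACLS.__getitem__).items():
        print(key, grants)
```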